Written by Phil Turner for Okta.
In a document released this year by the British intelligence and security organisation GCHQ, it was revealed that the agency has called for firms to ban BYOD. In the report, the organisation claims staff represent the “weakest link in the security chain” and can, whether intentionally or not, be responsible for leaking data to foreign espionage agencies.
A knee-jerk reaction to ban BYOD is not an effective solution given our knowledge of the emergence of “Shadow IT” and the increase in productivity BYOD offers employees. While humans are undoubtedly the weakest link in the security chain, policies, tools and education can go a long way in mitigating the risk that comes with the cloud revolution and BYOD. The right question to ask isn’t “how can we stop employees from BYOD?”; it’s “how can we give our employees simple policies and tools to help them be productive and secure at work?” Security and productivity don’t have to be an ‘either/or.’
Below are two recommendations to mitigate common BYOD risks:
Create password: qwerty123
While the cloud initially makes it easier for users to access business applications from multiple devices, users must now keep track of multiple URLs, user names and passwords to get access to their applications – each of which has different password requirements and expiration cycles.
As a result, many employees suffer from “password fatigue”: using obvious or re-used passwords, often written down on Post-It notes or saved in Excel files on laptops. This means that if someone gets their hands on one of these passwords, they would have access not only to that specific application, but to every application the employee uses across the business.
The problem is not just confined to internal employees, but reaches across the extended enterprise. Our research showed that 70 percent of organisations surveyed use portals comprised of multiple applications to engage with partners, customers and other external users. In reality, to do business in the modern digital economy, organisations must open their virtual doors to partners and service providers by allowing them access to data and information.
Instead of banning BYOD, businesses should educate employees and partners about the dangers of re-using passwords when accessing multiple applications through their various devices. However, it’s unreasonable to expect employees to remember a whole host of different passwords. To mitigate the human risk in security, organisations should combine a mix of technology and education. As well as circulating advice and guidelines to employees, this means adopting technology that can alleviate these concerns by providing single sign-on (a single user name and password) across all of these applications.
Hand in your keys and password on the way out
Another threat is the departure of key employees and the loss of confidential and sensitive data. For organisations with a high employee turnover, the process of creating new user accounts and deleting old ones can be daunting. So it’s not uncommon for companies to overlook the termination of users’ accounts after they have left.
While the IT department can centrally revoke access to email and corporate networks, companies have to rely on external application administrators to withdraw the employee’s access to each cloud application, which can leave the company in a vulnerable position. Not only does this provide ex-employees with access to privileged information after they leave, but further consequences include failure to adhere to compliance rules and failure of the company’s information security audit.
Organisations can advise employees to delete all accounts when they leave, but there’s no guarantee they will do it. Instead, businesses should look towards identity and access management services that can provide automated user de-provisioning across all on-premises and cloud-based applications. Only this will provide business leaders with the peace of mind that once an employee has left the company, the company’s data hasn’t left with them. The fact is, BYOD is here to stay. Removing it is impractical and outdated advice, but organisations can mitigate risks by implementing a policy and taking the time and resources to educate employees.
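As an added illustration (not code from the original post, and not Okta’s own tooling), this is the reconciliation check an IT team can run while no automated de-provisioning is in place: compare the HR leavers list against the user exports of each cloud application and flag accounts that are still active after the owner has left, or that HR does not know about at all. The HR roster and the per-app exports below are constructed sample data.

```python
"""Orphaned-account reconciliation across cloud application user exports."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:
    email: str
    app: str
    days_since_leave: Optional[int]  # None = account owner unknown to HR

# Constructed HR roster: email -> leave date, or None if still employed.
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2024, 1, 15),
    "carol@example.com": date(2024, 3, 1),
}

# Constructed per-app user exports, as an app admin console would provide them.
APP_USERS = {
    "crm": [("alice@example.com", "active"), ("bob@example.com", "active")],
    "fileshare": [
        ("bob@example.com", "suspended"),
        ("carol@example.com", "active"),
        ("dave@example.com", "active"),
    ],
}

def find_orphaned_accounts(roster, app_users, today):
    """Return active app accounts whose owner has left or is not in the HR roster."""
    findings = []
    for app, users in app_users.items():
        for email, status in users:
            if status != "active":
                continue  # already disabled in this app; nothing to do
            if email not in roster:
                findings.append(Finding(email, app, None))  # not in HR at all
                continue
            left = roster[email]
            if left is None or left > today:
                continue  # current employee (or leave date still in the future)
            findings.append(Finding(email, app, (today - left).days))
    # Worst first: unknown owners, then the longest-standing leftover accounts.
    return sorted(findings, key=lambda f: (f.days_since_leave is not None,
                                           -(f.days_since_leave or 0)))

if __name__ == "__main__":
    for f in find_orphaned_accounts(HR_ROSTER, APP_USERS, date(2024, 4, 1)):
        print(f"{f.app}: {f.email} still active, left {f.days_since_leave} days ago")
```

Run on real exports, every finding is a ticket for that application's administrator; the same loop, fed from an HR feed on a schedule, is the manual precursor of the automated de-provisioning the article recommends.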